The Official Site of Cheat Engine
 
[Need help] Eushully La Dea of Libra MEMORIA
fluxxx
Posted: Wed May 07, 2014 2:41 am    Post subject: [Need help] Eushully La Dea of Libra MEMORIA

I found this thread for an older game from the same publisher:
viewtopic.php?p=5471048

They probably use some encryption on this new game, but I am not pro enough to crack their memory encryption. Tried using the table from the old thread, but something's different in this game.

Anyone with mad skills that could help me with the encryption? No need for a complete trainer if I can search for values myself.
Gniarf
Posted: Sat May 10, 2014 6:40 am

I don't like the ikusa megami series so I'm not going to get this one, however I can give you directions as to how to hack it, if you're up for it.

It'd be a rough ride though, so you'd need to know a bit of assembly, and you'd also need to be familiar with pointers (pointerscanner and manual finding).

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
fluxxx
Posted: Sat May 10, 2014 6:52 am

Thanks for the offer, but I'm not good with assembly at all. Have some programming experience from C#/PHP/VB, but no low-level languages.

I found out this game is pretty easy because you can trigger random battles with the spacebar so I made a macro that auto-levels my chars while I do something else.

You have some links to some tutorials I could start to read up on? It would be nice if I could edit the assembly code for the previous game to this one, but I don't need the cheat table, basic search/edit/freeze would be fine.
Gniarf
Posted: Sat May 10, 2014 8:30 am

Assembly knowledge is needed to read the en/decryption function and identify 2 parameters I need.
That being said age.exe itself is just a script interpreter so you could try to run la dea with madou koukaku's exe. I know their engines are backward compatible, so if there aren't too many new engine features in their latest game, 1 generation forward compatibility *might* work.

Otherwise if all you need is "set to a random huge value" and "freezing" (and "scanning") you can do that without decrypting. Just use unknown initial value (datatype=4 bytes) and only filter with changed/unchanged.

If you or anyone else is interested, here is how to make a table that keeps working once you've located the variable you wanna hack, regardless of whether it is encrypted or not. It works for madou koukaku (MK), I hope it still works on other versions of the interpreter (given the shortcuts I've taken).
EDIT: rewrote this tutorial after guiding harizsama.
1-Scan for the string "ARCGameEngine" (NOT unicode); there should be only one result that is not green. Its address should end with a small number (it's xxxx0028 for MK). Subtract 8 from this address and scan for it as a 4 byte integer (hex mode).
2-Add all green results to your cheat table, they are all potential pointer bases. Based on madou koukaku's hacks and harizsama's feedback it is likely that the correct pointer base will look like "AGE.EXE+00270xxx" (warning: unreliable hint).

3-Locate the in-game value that you want to hack via changed/unchanged scans.
4-Find out what accessed this address, and play until you have a result that reads this address (ie: the "[]" brackets are on the right side of the comma "," ).
5-Select it and click show disassembler and scroll up until you find the equivalent of my 5D3D0 in your game. This will be the first offset of your pointer.
Hint: use the "ret 4" lines as marks:
Code:
AGE.EXE+1B328 - C2 0400               - ret 0004 <---------------------------------------------
AGE.EXE+1B32B - 8B 10                 - mov edx,[eax]
AGE.EXE+1B32D - 8B 81 D0D30500        - mov eax,[ecx+0005D3D0] <- Note the 5D3D0 from here
AGE.EXE+1B333 - 8B 14 90              - mov edx,[eax+edx*4]
AGE.EXE+1B336 - 8B 81 5CE80500        - mov eax,[ecx+0005E85C]
AGE.EXE+1B33C - 89 55 FC              - mov [ebp-04],edx
AGE.EXE+1B33F - 89 45 F8              - mov [ebp-08],eax
AGE.EXE+1B342 - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B345 - C1 C0 0B              - rol eax,0B
AGE.EXE+1B348 - 33 45 F8              - xor eax,[ebp-08]
AGE.EXE+1B34B - C1 C8 19              - ror eax,19
AGE.EXE+1B34E - 89 45 FC              - mov [ebp-04],eax
AGE.EXE+1B351 - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B354 - 5E                    - pop esi
AGE.EXE+1B355 - 8B E5                 - mov esp,ebp
AGE.EXE+1B357 - 5D                    - pop ebp
AGE.EXE+1B358 - C2 0400               - ret 0004 <---------------------------------------------
AGE.EXE+1B35B - 8B 91 50D40500        - mov edx,[ecx+0005D450]
AGE.EXE+1B361 - 8B F2                 - mov esi,edx
AGE.EXE+1B363 - C1 E6 04              - shl esi,04
AGE.EXE+1B366 - 2B F2                 - sub esi,edx
AGE.EXE+1B368 - 8B 10                 - mov edx,[eax]
AGE.EXE+1B36A - 8B 84 F1 84D40500     - mov eax,[ecx+esi*8+0005D484]
AGE.EXE+1B371 - 8B 14 90              - mov edx,[eax+edx*4]
AGE.EXE+1B374 - 8B 81 5CE80500        - mov eax,[ecx+0005E85C]
AGE.EXE+1B37A - 89 55 FC              - mov [ebp-04],edx
AGE.EXE+1B37D - 89 45 F8              - mov [ebp-08],eax
AGE.EXE+1B380 - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B383 - C1 C0 0B              - rol eax,0B
AGE.EXE+1B386 - 33 45 F8              - xor eax,[ebp-08]
AGE.EXE+1B389 - C1 C8 19              - ror eax,19
AGE.EXE+1B38C - 89 45 FC              - mov [ebp-04],eax
AGE.EXE+1B38F - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B392 - 5E                    - pop esi
AGE.EXE+1B393 - 8B E5                 - mov esp,ebp
AGE.EXE+1B395 - 5D                    - pop ebp
AGE.EXE+1B396 - C2 0400               - ret 0004 <---------------------------------------------
AGE.EXE+1B399 - 8B 91 50D40500        - mov edx,[ecx+0005D450]
AGE.EXE+1B39F - 8B F2                 - mov esi,edx
AGE.EXE+1B3A1 - C1 E6 04              - shl esi,04
AGE.EXE+1B3A4 - 2B F2                 - sub esi,edx
AGE.EXE+1B3A6 - 8B 10                 - mov edx,[eax]
AGE.EXE+1B3A8 - 8B 84 F1 90D40500     - mov eax,[ecx+esi*8+0005D490]
AGE.EXE+1B3AF - 8B 14 90              - mov edx,[eax+edx*4]
AGE.EXE+1B3B2 - 8B 02                 - mov eax,[edx]  <- this is the line that popped up in my find out what access.... window
AGE.EXE+1B3B4 - 8B 89 5CE80500        - mov ecx,[ecx+0005E85C]
AGE.EXE+1B3BA - 89 45 FC              - mov [ebp-04],eax
AGE.EXE+1B3BD - 89 4D F8              - mov [ebp-08],ecx
AGE.EXE+1B3C0 - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B3C3 - C1 C0 0B              - rol eax,0B <-note what you have here instead of "0b", it'll be useful for the decryption
AGE.EXE+1B3C6 - 33 45 F8              - xor eax,[ebp-08]
AGE.EXE+1B3C9 - C1 C8 19              - ror eax,19     <-same as above for the 0x19.
AGE.EXE+1B3CC - 89 45 FC              - mov [ebp-04],eax
AGE.EXE+1B3CF - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B3D2 - 5E                    - pop esi
AGE.EXE+1B3D3 - 8B E5                 - mov esp,ebp
AGE.EXE+1B3D5 - 5D                    - pop ebp
AGE.EXE+1B3D6 - C2 0400               - ret 0004  <-consider all "ret 4" as separators -------------

6-Now that you have a pointer base and a first offset, add this pointer to your table [[your pointer base]+Your first offset]+0 (ex: [["AGE.EXE"+00270818]+0005D3D0]+0 for madou koukaku). This should point to the same memory block as the game variable you're trying to hack, but always with a smaller address. I believe it points to the base of the buffer that contains game variables, or at least I'll call it that way.
7-Calculate address_you_want_to_hack - base_of_game_variable_buffer. This will be the topmost offset of your pointer. Normally [[your pointer base]+Your first offset]+Topmost_offset will now point to whatever you were trying to hack, and this pointer is still valid after you restart the game.
Topmost offsets can be enormous, ex the pointer to money in MK is [["AGE.EXE"+00270818]+0005D3D0]+5C484 .

And if you want to break the encryption while you're at it:
8-Select your [[your pointer base]+Your first offset]+0 pointer and press ctrl+B (browse memory at this location) and look at the bottom pane of the memory viewer.
9-Scroll up 1-5 lines and you'll see a 4 byte pattern that repeats itself a lot, this is the encryption key (well sorta, it's actually 0 in encrypted form, but we can use that as decryption key). Make yourself a pointer to one instance of this 4 byte sequence, [[your pointer base]+Your first offset]-4 is a good candidate. Otherwise adjust the topmost offset as needed, but make sure it's always a multiple of 4.
10-Grab Eushully framework.ct posted a few posts below, edit the "get crypto key" script, and replace "[["AGE.EXE"+00270990]+5D708]-4" with your pointer to the decryption key.
11-Do the same thing for the "0 here means decryption OK" cheat record.
12-Go to table->show table lua script, you'll notice 4 instances of "#14" in this script. Remember the 0b and 0x19 I told you to note in step 5? Calculate ror_count (0x19) - rol_count (0B) = E (14 in decimal) and replace the 14 from those #14 with the result of your calculation.
13-Save your table, restart cheat engine and open your table. Normally a new datatype (AGE Engine encrypted int) should be available in your "value type" drop down list, allowing you to see through the encryption, you can even make your scans with it. But it only works after enabling "Get crypto key".
14-That's all folks.



Last edited by Gniarf on Mon Jun 15, 2015 3:36 am; edited 1 time in total
harizsama
Posted: Sat May 30, 2015 3:17 am

Sorry for necromancing this one.. just got the game a week ago.. haha..

So, I've found 3 values for now (Gold, Skill Point, and points for his goddess body) but I'm a little lost at "find the region that contains your variable and note its address (Let's call it BaseOfRegion1) and size." from the first point. What does it mean?
What should I search from this place?



Attachment: CE tet.PNG (73.26 KB)


Gniarf
Posted: Sat May 30, 2015 6:57 am

harizsama wrote:
i'm little lost at "find the region that contains your variable and note its address (Let's call it BaseOfRegion1) and size." from the first point. What does it mean?
It means take a scrap of paper and write "BaseOfRegion1=3D000000 , size=3d2f000". The 3D000000 will change next time you start the game, though.

harizsama wrote:
what should i search from this place?
Nothing. You just need those numbers for calculation in the other steps, for example at step 2 you'll determine that the topmost offset for your first cheat is 3d032d0c-3D000000=32d0c.

Size is also useful to locate Region1 after restarting the game without having to do the (un)changed scans again. I don't remember if size is always exactly the same, but it doesn't vary much and it's always huge.

harizsama
Posted: Sat May 30, 2015 9:22 am

Ahh... I see..
btw.. I don't close them for now.. playing with a macro to get some exp while I slept...

Then the base of region 1 should be 3D032000 with size=3CFD000, right? But when I go to point no.4 I can't find anything. So, I used 3D000000 and found some addresses.
Going to point no.5 with the address of non-green ARCGameEngine =02FF9028 (yup, it's xxxx28!), so the BaseOfRegion2=02FF9000.
Then calculating those, 03056758 - 02FF9000 - 0x20 = 2nd Offset.
But, what's -0x20 and +0x20 mean..?
Or, did I turn the wrong way at some point again..?



Attachment: La Dea Test 2.PNG (72.6 KB)


Gniarf
Posted: Sat May 30, 2015 2:06 pm

harizsama wrote:
then the base of region 1 should be 3D032000 with size=3CFD000, right?
What?! I just told you "BaseOfRegion1=3D000000 , size=3d2f000", where does that 3D032000 come from?
harizsama wrote:
so, i used 3D000000 and found some addresses.
Going to point no.5 with the address of non-green ARCGameEngine =02FF9028 (yup, it's xxxx28!), so the BaseOfRegion2=02FF9000.
then calculating those, 03056758 - 02FF9000 - 0x20 = 2nd Offset.
This is correct.
harizsama wrote:
but, what's -0x20 and +0x20 mean..?
In C/C++, 0xNumber means "this is an hexadecimal number". You see, if I had said "BaseOfRegion2+20" some people would have understood 02FF9000+20=02FF9020, but some would have understood 02FF9000+14 because 20 in decimal is 14 in hex.

03056758 - 02FF9000 - 0x20=5D738 . Since the corresponding value was 5D400 for madou koukaku, you're probably on the right track.


btw once you get a working pointer, do you want to try breaking the encryption?

harizsama
Posted: Sat May 30, 2015 8:23 pm

Gniarf wrote:
What?! I just told you "BaseOfRegion1=3D000000 , size=3d2f000", where does that 3D032000 come from?

Bwahaha~! Really sry.. Well, it was from my first attempt guessing which one is the base.. as I guessed it might work the same way as BaseOfRegion2.. from 02FF9028 to 02FF9000.. so I thought BoR1 might be 3D032000~

Gniarf wrote:
In C/C++, 0xNumber means "this is an hexadecimal number". You see, if I had said "BaseOfRegion2+20" some people would have understood 02FF9000+20=02FF9020, but some would have understood 02FF9000+14 because 20 in decimal is 14 in hex.
03056758 - 02FF9000 - 0x20=5D738 . Since the corresponding value was 5D400 for madou koukaku, you're probably on the right track.
btw once you get a working pointer, do you want to try breaking the encryption?


Thanks!
but errmm.. Sorry again.. Messed up that one in the end. Misunderstood "restart the game" as "exit the game, and then open it again". So, I restarted my work from scratch.. twice.. but hey, it's done nicely this time..
Okay~ if we're going for the next step, my kokoro is ready!



Attachment: La Dea Test 3.PNG (657.23 KB)


Gniarf
Posted: Sat May 30, 2015 11:08 pm

Oops sorry, but I just noticed I made a mistake in my directions. On La Dea Test 2.PNG the address of gold ends with 0C and on La Dea Test 3.PNG it ends with 24, so using topmost offset=gold address-BoR1 is a shortcut that doesn't work. I guess we'll have to do it properly, so it'll get ugly.
Keep your pointer to BoR2 ( age.exe+27099{other digits} ), it will still be useful.

A-Ok, right click on gold address->find out what access... and play until you have a result that looks like "mov e**,[e**]" the important thing is that the "[e**]" is on the right side of the ",".
B-Select it and click "show disassembler" and you'll see something like this (code is from madou koukaku):
Code:
AGE.EXE+1B396 - C2 0400               - ret 0004
AGE.EXE+1B399 - 8B 91 50D40500        - mov edx,[ecx+0005D450]
AGE.EXE+1B39F - 8B F2                 - mov esi,edx
AGE.EXE+1B3A1 - C1 E6 04              - shl esi,04
AGE.EXE+1B3A4 - 2B F2                 - sub esi,edx
AGE.EXE+1B3A6 - 8B 10                 - mov edx,[eax]
AGE.EXE+1B3A8 - 8B 84 F1 90D40500     - mov eax,[ecx+esi*8+0005D490]
AGE.EXE+1B3AF - 8B 14 90              - mov edx,[eax+edx*4]
AGE.EXE+1B3B2 - 8B 02                 - mov eax,[edx]  <- this is the line that popped up in my find out what access.... window
AGE.EXE+1B3B4 - 8B 89 5CE80500        - mov ecx,[ecx+0005E85C]
AGE.EXE+1B3BA - 89 45 FC              - mov [ebp-04],eax
AGE.EXE+1B3BD - 89 4D F8              - mov [ebp-08],ecx
AGE.EXE+1B3C0 - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B3C3 - C1 C0 0B              - rol eax,0B  <- rol is here, take note of the 0B, we'll need that number when dealing with the encryption.
AGE.EXE+1B3C6 - 33 45 F8              - xor eax,[ebp-08]
AGE.EXE+1B3C9 - C1 C8 19              - ror eax,19  <- ror is here, note the 0x19.
AGE.EXE+1B3CC - 89 45 FC              - mov [ebp-04],eax
AGE.EXE+1B3CF - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B3D2 - 5E                    - pop esi
AGE.EXE+1B3D3 - 8B E5                 - mov esp,ebp
AGE.EXE+1B3D5 - 5D                    - pop ebp
AGE.EXE+1B3D6 - C2 0400               - ret 0004
C-I just checked my madou koukaku pointer to region 1 and it was [AGE.EXE+270818]+5D3D0, but I'm not sure about how I got the 5D3D0. One method that might give you an equivalent is to scroll up and look at all "mov ***, [ecx+5****]".
Each time you have a "mov ***, [ecx+5****]", ecx=BoR2+0x20, so make yourself a pointer with a base at age.exe+27099??, a first offset: the number after "ecx+", and a topmost offset of 0. If that pointer points to something within the same region as your money, use it as your Region1 pointer and calculate the topmost offset to your gold from this address.

Example:
My money is at 44061be0, inside a region that starts at 0x44000000.
Base of region 2 is 0x2830000 ("ARCGameEngine" is at 2830028).
The pointer to BoR2+0x20 is "AGE.EXE"+00270818.
(start reading from the bottom)
Code:
AGE.EXE+1B328 - C2 0400               - ret 0004 <---------------------------------------------
AGE.EXE+1B32B - 8B 10                 - mov edx,[eax]
AGE.EXE+1B32D - 8B 81 D0D30500        - mov eax,[ecx+0005D3D0] <- I probably took the 5D3D0 from here
AGE.EXE+1B333 - 8B 14 90              - mov edx,[eax+edx*4]
AGE.EXE+1B336 - 8B 81 5CE80500        - mov eax,[ecx+0005E85C]
AGE.EXE+1B33C - 89 55 FC              - mov [ebp-04],edx
AGE.EXE+1B33F - 89 45 F8              - mov [ebp-08],eax
AGE.EXE+1B342 - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B345 - C1 C0 0B              - rol eax,0B
AGE.EXE+1B348 - 33 45 F8              - xor eax,[ebp-08]
AGE.EXE+1B34B - C1 C8 19              - ror eax,19
AGE.EXE+1B34E - 89 45 FC              - mov [ebp-04],eax
AGE.EXE+1B351 - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B354 - 5E                    - pop esi
AGE.EXE+1B355 - 8B E5                 - mov esp,ebp
AGE.EXE+1B357 - 5D                    - pop ebp
AGE.EXE+1B358 - C2 0400               - ret 0004 <---------------------------------------------
AGE.EXE+1B35B - 8B 91 50D40500        - mov edx,[ecx+0005D450]
AGE.EXE+1B361 - 8B F2                 - mov esi,edx
AGE.EXE+1B363 - C1 E6 04              - shl esi,04
AGE.EXE+1B366 - 2B F2                 - sub esi,edx
AGE.EXE+1B368 - 8B 10                 - mov edx,[eax]
AGE.EXE+1B36A - 8B 84 F1 84D40500     - mov eax,[ecx+esi*8+0005D484]
AGE.EXE+1B371 - 8B 14 90              - mov edx,[eax+edx*4]
AGE.EXE+1B374 - 8B 81 5CE80500        - mov eax,[ecx+0005E85C]
AGE.EXE+1B37A - 89 55 FC              - mov [ebp-04],edx
AGE.EXE+1B37D - 89 45 F8              - mov [ebp-08],eax
AGE.EXE+1B380 - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B383 - C1 C0 0B              - rol eax,0B
AGE.EXE+1B386 - 33 45 F8              - xor eax,[ebp-08]
AGE.EXE+1B389 - C1 C8 19              - ror eax,19
AGE.EXE+1B38C - 89 45 FC              - mov [ebp-04],eax
AGE.EXE+1B38F - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B392 - 5E                    - pop esi
AGE.EXE+1B393 - 8B E5                 - mov esp,ebp
AGE.EXE+1B395 - 5D                    - pop ebp
AGE.EXE+1B396 - C2 0400               - ret 0004 <---------------------------------------------
AGE.EXE+1B399 - 8B 91 50D40500        - mov edx,[ecx+0005D450]
AGE.EXE+1B39F - 8B F2                 - mov esi,edx
AGE.EXE+1B3A1 - C1 E6 04              - shl esi,04
AGE.EXE+1B3A4 - 2B F2                 - sub esi,edx
AGE.EXE+1B3A6 - 8B 10                 - mov edx,[eax]
AGE.EXE+1B3A8 - 8B 84 F1 90D40500     - mov eax,[ecx+esi*8+0005D490]
AGE.EXE+1B3AF - 8B 14 90              - mov edx,[eax+edx*4]
AGE.EXE+1B3B2 - 8B 02                 - mov eax,[edx]  <- this is the line that popped up in my find out what access.... window
AGE.EXE+1B3B4 - 8B 89 5CE80500        - mov ecx,[ecx+0005E85C]
AGE.EXE+1B3BA - 89 45 FC              - mov [ebp-04],eax
AGE.EXE+1B3BD - 89 4D F8              - mov [ebp-08],ecx
AGE.EXE+1B3C0 - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B3C3 - C1 C0 0B              - rol eax,0B
AGE.EXE+1B3C6 - 33 45 F8              - xor eax,[ebp-08]
AGE.EXE+1B3C9 - C1 C8 19              - ror eax,19
AGE.EXE+1B3CC - 89 45 FC              - mov [ebp-04],eax
AGE.EXE+1B3CF - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B3D2 - 5E                    - pop esi
AGE.EXE+1B3D3 - 8B E5                 - mov esp,ebp
AGE.EXE+1B3D5 - 5D                    - pop ebp
AGE.EXE+1B3D6 - C2 0400               - ret 0004  <-consider all "ret 4" as separators -------------


Taking the line that accessed my gold, and going upward I'm going to try:
[["AGE.EXE"+00270818]+0005D450]+0 , unfortunately this points to 5E27****, outside the region at 0x44000000
[["AGE.EXE"+00270818]+0005E85C]+0 , same as above
[["AGE.EXE"+00270818]+0005D3D0]+0 , points to 4400575C which is in the same region as my gold, so I'll use this as my BoR1 pointer.
The topmost offset to my gold will thus be 44061be0-4400575C=5C484, and finally the gold pointer will be [["AGE.EXE"+00270818]+0005D3D0]+5C484.
If you encounter a bunch of "int 3" before finding a valid pointer, give up. Normally, if you restart (exit+reopen) the game, this will still point to your gold without you having to do any kind of work.

harizsama wrote:
Misunderstood "restart the game" as "exit the game, and then open it again"
Err, actually when I said restart the game, I really meant exit game then open it again.

As for the encryption, we'll wait until we have properly working pointers. Just remember the 0B and 0x19 (or the equivalent in your version of the game) from the ror/rol lines, these 2 numbers are important parts of the cipher.

Again, sorry for the error in my previous explanation.

harizsama
Posted: Sun May 31, 2015 6:22 pm

Gniarf wrote:

On La Dea Test 2.PNG the address of gold ends with 0C and on La Dea Test 3.PNG it ends with 24, so using topmost offset=gold address-BoR1 is a shortcut that doesn't work. I guess we'll have to do it properly, so it'll get ugly.

Errr.... so that's why both offsets keep changing and their values always go to "??" every time I restarted (exit and re-open) the game, huh... :')

Gniarf wrote:
A-Ok, right click on gold address->find out what access... and play until you have a result that looks like "mov e**,[e**]" the important thing is that the "[e**]" is on the right side of the ",".

Why did no one tell me doing something like that can make the game crash..? *tableflip*
ah well.. just another re-scan of the address, though..

Gniarf wrote:
Taking the line that accessed my gold, and going upward I'm going to try:
[["AGE.EXE"+00270818]+0005D450]+0 , unfortunately this points to 5E27****, outside the region at 0x44000000
[["AGE.EXE"+00270818]+0005E85C]+0 , same as above
[["AGE.EXE"+00270818]+0005D3D0]+0 , points to 4400575C which is in the same region as my gold, so I'll use this as my BoR1 pointer.
The topmost offset to my gold will thus be 44061be0-4400575C=5C484, and finally the gold pointer will be [["AGE.EXE"+00270818]+0005D3D0]+5C484.
If you encounter a bunch of "int 3" before finding a valid pointer, give up. Normally, if you restart (exit+reopen) the game, this will still point to your gold without you having to do any kind of work.


Okay~ I got the list and the one needed for my pointer..
it's something like this in my La Dea..

Code:
AGE.EXE+1B7B8 - C2 0400               - ret 0004
AGE.EXE+1B7BB - 8B 10                 - mov edx,[eax]
AGE.EXE+1B7BD - 8B 81 08D70500        - mov eax,[ecx+0005D708] <--------
AGE.EXE+1B7C3 - 8B 14 90              - mov edx,[eax+edx*4]
AGE.EXE+1B7C6 - 8B 81 94EB0500        - mov eax,[ecx+0005EB94] <--------
AGE.EXE+1B7CC - 89 55 FC              - mov [ebp-04],edx
AGE.EXE+1B7CF - 89 45 F8              - mov [ebp-08],eax
AGE.EXE+1B7D2 - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B7D5 - C1 C0 0B              - rol eax,0B
AGE.EXE+1B7D8 - 33 45 F8              - xor eax,[ebp-08]
AGE.EXE+1B7DB - C1 C8 19              - ror eax,19
AGE.EXE+1B7DE - 89 45 FC              - mov [ebp-04],eax
AGE.EXE+1B7E1 - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B7E4 - 5E                    - pop esi
AGE.EXE+1B7E5 - 8B E5                 - mov esp,ebp
AGE.EXE+1B7E7 - 5D                    - pop ebp
AGE.EXE+1B7E8 - C2 0400               - ret 0004


Gold's Address = 3D032D0C
[["AGE.EXE"+00270990]+0005EB94]+0 = 32xxxxxx, well.. it's in the same region as the address. But when I calculated its top offset, their values weren't the same. So it's a fail.. sry, forgot about its calculated address.. didn't note it..
[["AGE.EXE"+00270990]+0005D708]+0 = 32xxxxxx too. But when I input its top offset, it did have the same value as the gold address, so I restarted the game and voila, it's the correct pointer~!
But, when I searched for my next address (for Goddess' Points, the one limiting how much exp/items the player can farm) I got different values for the scanned address and the pointed address, but it's still working (when I tick the freeze box on one of them, the in-game value freezes too).. something wrong..?

Gniarf wrote:
Again, sorry the error in my previous explanation.

No probs, Sir~ at least I or someone else gets to learn something for the next Eushully's..
Gniarf
Posted: Sun May 31, 2015 8:39 pm

harizsama wrote:
Gniarf wrote:

On La Dea Test 2.PNG the address of gold ends with 0C and on La Dea Test 3.PNG it ends with 24, so using topmost offset=gold address-BoR1 is a shortcut that doesn't work. I guess we'll have to do it properly, so it'll get ugly.

Errr.... so that's why both offsets keep changing and their values always go to "??" every time I restarted (exit and re-open) the game, huh... :')
Ugh, yes... -_-

harizsama wrote:
Gniarf wrote:
A-Ok, right click on gold address->find out what access... and play until you have a result that looks like "mov e**,[e**]" the important thing is that the "[e**]" is on the right side of the ",".

Why did no one tell me doing something like that can make the game crash..? *tableflip*
Hmm, 'coz no-one knew it could make the game crash? Anyway CE has 3 different debugger types in settings->debugger options. I'm using VEH debugger.

harizsama wrote:
Okay~ I got the list and the one needed for my pointer..
it's something like this in my La Dea..

Code:
AGE.EXE+1B7B8 - C2 0400               - ret 0004
AGE.EXE+1B7BB - 8B 10                 - mov edx,[eax]
AGE.EXE+1B7BD - 8B 81 08D70500        - mov eax,[ecx+0005D708] <--------
AGE.EXE+1B7C3 - 8B 14 90              - mov edx,[eax+edx*4]
AGE.EXE+1B7C6 - 8B 81 94EB0500        - mov eax,[ecx+0005EB94] <--------
AGE.EXE+1B7CC - 89 55 FC              - mov [ebp-04],edx
AGE.EXE+1B7CF - 89 45 F8              - mov [ebp-08],eax
AGE.EXE+1B7D2 - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B7D5 - C1 C0 0B              - rol eax,0B
AGE.EXE+1B7D8 - 33 45 F8              - xor eax,[ebp-08]
AGE.EXE+1B7DB - C1 C8 19              - ror eax,19
AGE.EXE+1B7DE - 89 45 FC              - mov [ebp-04],eax
AGE.EXE+1B7E1 - 8B 45 FC              - mov eax,[ebp-04]
AGE.EXE+1B7E4 - 5E                    - pop esi
AGE.EXE+1B7E5 - 8B E5                 - mov esp,ebp
AGE.EXE+1B7E7 - 5D                    - pop ebp
AGE.EXE+1B7E8 - C2 0400               - ret 0004


Gold's Address = 3D032D0C
[["AGE.EXE"+00270990]+0005EB94]+0 = 32xxxxxx, well.. it's in the same region as the address. But when I calculated its top offset, their values weren't the same. So it's a fail.. sry, forgot about its calculated address.. didn't note it..
[["AGE.EXE"+00270990]+0005D708]+0 = 32xxxxxx too. But when I input its top offset, it did have the same value as the gold address, so I restarted the game and voila, it's the correct pointer~!
*clap clap* Congratulations dude for getting a stable pointer there. You've done the hardest part.

harizsama wrote:
but, when i search for my next address (for Goddess' Point, the one limiting how many player's exp/items farming) i got different value for scanned address and pointed address, but it still working (when i tick s freeze box on one of it, in-game value freeze too ).. something wrong..?
Does freezing the pointed address still work?
If yes: the game might have multiple copies of your goddess points. Or you messed up in your scans.
Does freezing the scanned address work, but freezing the pointed address does not work?
If yes: crap, more pointer issues.

On to the encryption then~
Looking at the code sample you posted, it seems the encryption still uses rol ***,0B and ror ***,19 which is the same as in madou koukaku, so we can skip fixing that.
All you have to do is to find a pointer to one of the maaaaaaaaany instances of the crypto key. Look at your CE tet.PNG, you see all those E2 64 E3 C5 ? That was the encryption key! Actually it was 0 in encrypted form but we can use that as decryption key. (Also remember that the key changes each time you restart the game so don't go scanning for C5E364E2).
A simple way to get a pointer to the encryption key is to:
-Select your Region1 pointer ( [["AGE.EXE"+00270990]+0005D708]+0 ).
-Press ctrl+B (browse this memory region) and look around in the memory viewer's bottom pane for a sequence that repeats itself a lot.
-Make yourself a pointer to it by changing the topmost offset of a copy of the region1 pointer. You may wonder where the key begins in that sequence, well, it begins at an address that is a multiple of 4 (ie: ends with 0,4,8, or c), so your topmost offset will also be a multiple of 4.
-Once you have a working pointer to the crypto key, take the framework table below, edit the "Get crypto key" script, and replace '[["AGE.EXE"+00270990]+0005D708]-4' by your key pointer.
-Also edit the "0 here means decryption OK" with your key pointer.

When opening this table, CE will ask you if you want to execute its lua script, say "yes", it will install a custom data type called "AGE Engine encrypted int" which will allow you to see through the encryption (you can make your scans with this type), but it only works after enabling "Get crypto key".

BTW: I put '[["AGE.EXE"+00270990]+0005D708]-4' as an example because in madou koukaku, region1 pointer-4 pointed to the key.



Attachment: Eushully framework.ct (3.54 KB, downloaded 3464 times)
Description: Generic framework table for eushully games. (needs tweaking)

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
harizsama
How do I cheat?
Reputation: 0

Joined: 30 May 2015
Posts: 7

PostPosted: Mon Jun 01, 2015 1:23 am    Post subject: Reply with quote

Gniarf wrote:
Does freezing the scanned address work, but freezing the pointed address does not work?
If yes: crap, more pointer issues.

No, both of them (scanned and pointed address) freeze the in-game value when the freeze box is ticked.

Gniarf wrote:
Does freezing the pointed address still work?
If yes: the game might have multiple copies of your goddess points. Or you messed up in your scans.

Ermm.. I think the only different thing is their value. I noticed it several times before, when re-pointing the addresses. So, their address might be the same. Sorry, forgot to note or screenshot it. Or.. you should check it yourself.. #it'satrap

Gniarf wrote:
On to the encryption then~
Looking at the code sample you posted, it seems the encryption still uses rol ***,0B and ror ***,19 which is the same as in madou koukaku, so we can skip fixing that.
All you have to do is to find a pointer to one of the maaaaaaaaany instances of the crypto key. Look at your CE tet.PNG, you see all those E2 64 E3 C5 ? That was the encryption key! Actually it was 0 in encrypted form but we can use that as decryption key. (Also remember that the key changes each time you restart the game so don't go scanning for C5E364E2).
A simple way to get a pointer to the encryption key is to:
-Select your Region1 pointer ( [["AGE.EXE"+00270990]+0005D708]+0 ).
-Press ctrl+B (browse this memory region) and look around in the memory viewer's bottom pane for a sequence that repeats itself a lot.

Woww~ Thanks for the framework tabl- Wait, wait, wait.. I'm really so lost..
Are these between-blue-lines things the ones you mean by "sequence that repeats itself a lot."?
And what do you mean by "You may wonder where the key begins in that sequence, well, it begins at an address that is a multiple of 4 (ie: ends with 0,4,8, or c)..."?

Well.. as you can see in the pic below, your framework table still works perfectly fine~!
So, as long as Eushully doesn't change their games' encryption method, then we can use your framework table as a decrypter, right?



[Attachment: La Dea Test 5b.PNG (screenshot, 321.64 KB)]

Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

PostPosted: Mon Jun 01, 2015 2:18 am    Post subject: Reply with quote

harizsama wrote:
Are these between-blue-lines things the ones you mean by "sequence that repeats itself a lot."?
Yes.
harizsama wrote:
And what do you mean by "You may wonder where the key begins in that sequence, well, it begins at an address that is a multiple of 4 (ie: ends with 0,4,8, or c)..."?
So you've got a bunch of 25 03 0C 4C 25 03 0C 4C 25 03 0C 4C 25 03 0C 4C 25 03 0C 4C 25 03 0C 4C 25 03 0C 4C, but what is the key?
25 03 0C 4C?
03 0C 4C 25?
0C 4C 25 03?
4C 25 03 0C?
Basically the question is "where does the key start?".
The answer is that the key starts at an address that ends with 0, 4, 8, or c, like 3100E5A0, 3100E5A4, ... so if you read the 4 bytes at 3100E5A0 you'll see that the key is 25 03 0C 4C and not one of the 3 other possibilities.

harizsama wrote:
Well.. as you can see in the pic below, your framework table still works perfectly fine~!
Yay!~~
harizsama wrote:
So, as long as Eushully doesn't change their games' encryption method, then we can use your framework table as a decrypter, right?
Except that the framework table needs a pointer to the key -which is game specific-, yes.

The oldest eushully game I played was probably genrin no kishougun 2, released in 2003, and they were already using the same encryption, except with a different rol/ror count, so they'll probably keep using it for a while. Maybe they'll change it when they make an MMO game, but who wants a multiplayer fapping game?

Anyway, for the sake of publishing this information: if eushully decides to change the rol/ror count again, edit the cheat table's lua script; inside you'll find four instances of "#14" that you'll have to replace with ror_count - rol_count. For example in madou koukaku you have:
Code:
AGE.EXE+1B7D5 - C1 C0 0B              - rol eax,0B
AGE.EXE+1B7D8 - 33 45 F8              - xor eax,[ebp-08]
AGE.EXE+1B7DB - C1 C8 19              - ror eax,19
rol_count=0xb=11; ror_count=0x19=25; and 25-11=14, that's where the #14 comes from. If the result is negative, add 32.


All in all, congratulations and thanks for getting through this; now there is finally a tutorial on how to make working and convenient tables for eushully games.
Have a happy "いやあぁぁ、だめぇぇぇぇぇぇぇぇ" ("Nooo, don't...") * time.

*for non-Japanese readers: this is what non-consenting game engines say in hentai animes.

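A worked model of the scheme described in Gniarf's two posts above (the "find the repeated dword at a 4-byte-aligned address" procedure and the "#14" rotate count). This is an added example written for this page, not the Lua inside the framework table and not the game's code; the only game code on the page is the three madou koukaku instructions `rol eax,0B / xor eax,[ebp-08] / ror eax,19`. It takes two facts from the posts: the key K seen repeated in memory is the encrypted form of 0, and the game decrypts a stored value with those three instructions. From those two it follows that the value in [ebp-08] is rol(K,0B) and that the plaintext is ror(E xor K, 0x19-0x0B) = ror(E xor K, 14), which is what the script's "#14" encodes. The memory region, base address and sample values below are constructed for the example, not dumped from the game (the real key changes every run).

```python
"""Model of the AGE engine value encryption discussed in this thread.

Added example for this page; not the cheat table's Lua and not the game's code.
Instruction sequence taken from the madou koukaku sample in the post above:
    rol eax,0B ; xor eax,[ebp-08] ; ror eax,19
"""
from collections import Counter
import struct

MASK = 0xFFFFFFFF

def rol32(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK

def ror32(x, n):
    return rol32(x, (32 - n) % 32)

ROL_COUNT = 0x0B          # rol eax,0B
ROR_COUNT = 0x19          # ror eax,19
SHIFT = (ROR_COUNT - ROL_COUNT) % 32   # 14: the "#14" in the table's script
                                       # (the % 32 is the "if negative, add 32" rule)

def game_decrypt(stored, ebp08_key):
    """Literal emulation of the three instructions the game executes."""
    eax = rol32(stored, ROL_COUNT)
    eax ^= ebp08_key
    return ror32(eax, ROR_COUNT)

def decrypt(stored, key):
    """Custom-type view: key is the encrypted form of 0 seen repeated in memory.
    Equivalent to game_decrypt() when [ebp-08] holds rol(key, 0B)."""
    return ror32(stored ^ key, SHIFT)

def encrypt(value, key):
    """Inverse of decrypt(); what the custom type writes back on a value change."""
    return rol32(value & MASK, SHIFT) ^ key

def key_from_region(region, base):
    """Pick the most repeated dword read at 4-byte-aligned addresses.
    Returns (key, first address it was seen at). Reading only at aligned
    addresses is what resolves the 25 03 0C 4C vs 03 0C 4C 25 question."""
    first_aligned = (base + 3) & ~3
    counts = Counter()
    first_seen = {}
    for addr in range(first_aligned, base + len(region) - 3, 4):
        dword = struct.unpack_from('<I', region, addr - base)[0]
        counts[dword] += 1
        first_seen.setdefault(dword, addr)
    key, _ = counts.most_common(1)[0]
    return key, first_seen[key]

# Constructed sample region (not a real dump): the repeating pattern starts two
# bytes before the aligned address 3100E5A0, so a byte-wise look shows
# "0C 4C 25 03 0C 4C ..." while the aligned dword is 25 03 0C 4C.
BASE = 0x3100E59E
REGION = bytes.fromhex("0C4C") + bytes.fromhex("25030C4C") * 8

if __name__ == "__main__":
    key, addr = key_from_region(REGION, BASE)
    print(f"key {key:08X} found at {addr:08X}")
    print(f"decrypt(key, key) = {decrypt(key, key)}  (0 here means decryption OK)")
    hp = 1234
    stored = encrypt(hp, key)
    print(f"{hp} is stored as {stored:08X}, decrypts to {decrypt(stored, key)}")
    print("game's own rol/xor/ror sequence agrees:",
          game_decrypt(stored, rol32(key, ROL_COUNT)) == hp)
```

The `decrypt(key, key) == 0` line is the same check the table's "0 here means decryption OK" entry performs: pointing the custom type at the key itself must show 0. If eushully changes the rotate counts, only `ROL_COUNT` and `ROR_COUNT` change; `SHIFT` is recomputed the way the post describes.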
harizsama
How do I cheat?
Reputation: 0

Joined: 30 May 2015
Posts: 7

PostPosted: Mon Jun 01, 2015 6:22 am    Post subject: Reply with quote

Gniarf wrote:
Basically the question is "where does the key start?".

Yes! And my next question is, "What should I do with that key?"

Gniarf wrote:
The oldest eushully game I played was probably genrin no kishougun 2, released in 2003 and they were already using the same encryption, except with a different rol/ror count, so they'll probably keep using it for a while.

Well, my friend got Kami no Rhapsody (Eushully's newly-released game) on his PC.. I'm not really interested in music-themed games, but I'll try this again there.. haha~

Gniarf wrote:
Maybe they'll change it when they make an MMO game, but who wants a multiplayer fapping game?

Ummm... Though I won't raise my hand for a game like that, I'm sure there'll be someone out there who'll raise their hand~

Gniarf wrote:
All in all congratulation and thanks for getting through this, now there is finally a tutorial on how to make working and convenient tables for eushully games.
Have an happy "いやあぁぁ、だめぇぇぇぇぇぇぇぇ" * time.

Come on... I'm the one who should be thanking you.. Thank you for your guide and explanations!